A growing convergence effect that should give each one of us significant pause is the fading of privacy. There are three good reasons for us to pay attention to privacy issues. First: We, personally, are not immune to privacy violations. Second: We, as security practitioners and members of the security industry, are designing, manufacturing, installing and operating systems that lessen privacy. I am sure that among the more than 30,000 readers of this magazine, there are some knowledgeable privacy advocates. The rest of us, however, have a third reason to pay attention: We, personally and professionally, are less informed about privacy issues than we realize we are. That makes us, our systems, and ultimately our customers more vulnerable than they should be. And that directly contradicts our purpose as security professionals.
Corporate disregard for privacy concerns in the handling of personal information has led to legislation to protect corporate customers from the devastating results of identity theft and other information abuses resulting from disclosure of personal information. Legislation typically provides significant penalties for companies that don't effectively implement safeguards. One well-known state law is California's Senate Bill 1386. This law states, "Any customer injured by a violation of this title may institute a civil action to recover damages."
Since 2001 the State of California has enacted 49 privacy laws. One of those laws prohibits the improper use of electronic surveillance equipment by rental car companies (Assembly Bill 2840). The bill defines Electronic Surveillance Technology (EST) as a technological method or system used to observe, monitor or collect information such as telematics, global positioning systems, wireless technology, and location-based technologies. Another law (Assembly Bill 2840) prohibits the use of "black box" event data recorders in vehicles without explicit disclosure, forbids the release of data outside of the original scope and purpose, and forbids the release of identifying information when sharing data with vehicle safety organizations.
The common denominator in these laws is that they forbid using any means of electronic surveillance for other than the originally intended-and customer-accepted-purpose. Manufacturers and service companies dislike such legislation because of the high cost of retrofitting privacy controls into their physical and electronic systems, as well as in their administrative systems.
Communication and computer lawyer, and highly respected privacy scholar, Ann Wells Branscomb told CIO magazine:
Historically, our concern about computers was Big Brother -- the government invading our lives and having too much knowledge about and control over what we're doing. Now we're discovering that big business is the real Big Brother.
Fred H. Cate, Distinguished Professor and Director, Center for Applied Cybersecurity Research, wrote:
"Privacy" is among the most hotly debated topics in Washington and other national capitals today. Almost 1,000 of the 7,945 bills introduced in the 104th Congress [1995-1996] addressed some privacy issue, and this level of political activity is reflected throughout much of the world...
After a decade of increasing activity in privacy legislation, minimal foresight is required to realize that designing privacy controls into systems initially will be far lest costly than waiting for legislation to require their retrofit.
Robert Ellis Smith is the publisher of the Privacy Journal (www.privacyjournal.net), the oldest and most authoritative publication on privacy in the world. He is also the author of a number of books about privacy, including a 387-page book, Ben Franklin's Web Site: Privacy and Curiosity from Plymouth Rock to the Internet. This book chronicles the state of privacy and surveillance and how they relate to living conditions and community values, beginning with the Puritan settlements in New England in 1582 and continuing up to the present time.